Cryptographic Permutation Research Articles

A degree bound for the c-boomerang uniformity of permutation monomials

AbstractLet $$\mathbb{F}_q$$ F q be a finite field of characteristic p. In this paper we prove that the c-Boomerang Uniformity, $$c \ne 0$$ c ≠ 0 , for all permutation monomials $$x^d$$ x d , where $$d > 1$$ d > 1 and $$p \not \mid d$$ p ∤ d , is bounded by $$\left\{ \begin{array}{ll} d^2, & c^2 \ne 1, \\ d \cdot (d - 1), & c = - 1, \\ d \cdot (d - 2), & c = 1 \end{array} \right\} .$$ d 2 , c 2 ≠ 1 , d · ( d - 1 ) , c = - 1 , d · ( d - 2 ) , c = 1 . Further, we utilize this bound to estimate the c-boomerang uniformity of a large class of generalized triangular dynamical systems, a polynomial-based approach to describe cryptographic permutations of $$\mathbb{F}_{q}^{n}$$ F q n , including the well-known substitution–permutation network.

Propagation properties of a non-linear mapping based on squaring in odd characteristic

Many modern cryptographic primitives for hashing and (authenticated) encryption make use of constructions that are instantiated with an iterated cryptographic permutation that operates on a fixed-width state consisting of an array of bits. Often, such permutations are the repeated application of a relatively simple round function consisting of a linear layer and a non-linear layer. These constructions do not require that the underlying function is a permutation and they can plausibly be based on a non-invertible transformation. Recently, Grassi proposed the use of non-invertible mappings operating on arrays of digits that are elements of a finite field of odd characteristic for so-called MPC-/FHE-/ZK-friendly symmetric cryptographic primitives. In this work, we consider a mapping that we call γ\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\gamma $$\\end{document} that has a simple expression and is based on squaring. We discuss, for the first time, the differential and linear propagation properties of γ\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\gamma $$\\end{document} and observe that these follow the same rules up to a relabeling of the digits. This is an intriguing property that, as far as we know, only exists for γ\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\gamma $$\\end{document} and the binary mapping χ3\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\chi _{_{3}}$$\\end{document} that is used in the cryptographic permutation Xoodoo. Moreover, we study the implications of its non-invertibility on differentials with zero output difference and on biases at the output of the γ\\documentclass[12pt]{minimal} \\usepackage{amsmath} \\usepackage{wasysym} \\usepackage{amsfonts} \\usepackage{amssymb} \\usepackage{amsbsy} \\usepackage{mathrsfs} \\usepackage{upgreek} \\setlength{\\oddsidemargin}{-69pt} \\begin{document}$$\\gamma $$\\end{document} mapping and show that they are as small as they can possibly be.

Security Evaluation of Initialization Phases and Round Functions of Rocca and AEGIS

Authenticated-Encryption with Associated-Data (AEAD) plays an important role in guaranteeing confidentiality, integrity, and authenticity in network communications. To meet the requirements of high-performance applications, several AEADs make use of AES New Instructions (AES-NI), which can conduct operations of AES encryption and decryption dramatically fast by hardware accelerations. At SAC 2013, Wu and Preneel proposed an AES-based AEAD scheme called AEGIS-128/128L/256, to achieve high-speed software implementation. At FSE 2016, Jean and Nikolić generalized the construction of AEGIS and proposed more efficient round functions. At ToSC 2021, Sakamoto et al. further improved the constructions of Jean and Nikolić, and proposed an AEAD scheme called Rocca for beyond 5G. In this study, we first evaluate the security of the initialization phases of Rocca and AEGIS family against differential and integral attacks using MILP (Mixed Integer Linear Programming) tools. Specifically, according to the evaluation based on the lower bounds for the number of active S-boxes, the initialization phases of AEGIS-128/128L/256 are secure against differential attacks after 4/3/6 rounds, respectively. Regarding integral attacks, we present the integral distinguisher on 6 rounds and 6/5/7 rounds in the initialization phases of Rocca and AEGIS-128/128L/256, respectively. Besides, we evaluate the round function of Rocca and those of Jean and Nikolić as cryptographic permutations against differential, impossible differential, and integral attacks. Our results indicate that, for differential attacks, the growth rate of increasing the number of active S-boxes in Rocca is faster than those of Jean and Nikolić. For impossible differential and integral attacks, we show that the round function of Rocca achieves the sufficient level of the security against these attacks in smaller number of rounds than those of Jean and Nikolić.

Mathematical problems and solutions of the Ninth International Olympiad in Cryptography NSUCRYPTO

Every year the International Olympiad in Cryptography Non-Stop University CRYPTO (NSUCRYPTO) offers mathematical problems for university and school students and, moreover, for professionals in the area of cryptography and computer science. The main goal of NSUCRYPTO is to draw attention of students and young researchers to modern cryptography and raise awareness about open problems in the field. We present problems of NSUCRYPTO’22 and their solutions. There are 16 problems on the following topics: ciphers, cryptosystems, protocols, e-money and cryptocurrencies, hash functions, matrices, quantum computing, S-boxes, etc. They vary from easy mathematical tasks that could be solved by school students to open problems that deserve separate discussion and study. So, in this paper, we consider several open problems on three-pass protocols, public and private keys pairs, modifications of discrete logarithm problem, cryptographic permutations, and quantum circuits.

Rotational Differential-Linear Cryptanalysis Revisited

The differential-linear attack, combining the power of the two most effective techniques for symmetric-key cryptanalysis, was proposed by Langford and Hellman at CRYPTO 1994. From the exact formula for evaluating the bias of a differential-linear distinguisher (JoC 2017), to the differential-linear connectivity table technique for dealing with the dependencies in the switch between the differential and linear parts (EUROCRYPT 2019), and to the improvements in the context of cryptanalysis of ARX primitives (CRYPTO 2020, EUROCRYPT 2021), we have seen significant development of the differential-linear attack during the last four years. In this work, we further extend this framework by replacing the differential part of the attack by rotational-XOR differentials. Along the way, we establish the theoretical link between the rotational-XOR differential and linear approximations and derive the closed formula for the bias of rotational differential-linear distinguishers, completely generalizing the results on ordinary differential-linear distinguishers due to Blondeau, Leander, and Nyberg (JoC 2017) to the case of rotational differential-linear cryptanalysis. We then revisit the rotational cryptanalysis from the perspective of differential-linear cryptanalysis and generalize Morawiecki et al.’s technique for analyzing Keccak, which leads to a practical method for estimating the bias of a (rotational) differential-linear distinguisher in the special case where the output linear mask is a unit vector. Finally, we apply the rotational differential-linear technique to the cryptographic permutations involved in FRIET, Xoodoo, Alzette, and SipHash. This gives significant improvements over existing cryptanalytic results, or offers explanations for previous experimental distinguishers without a theoretical foundation. To confirm the validity of our analysis, all distinguishers with practical complexities are verified experimentally. Moreover, we discuss the possibility of applying the rotational differential-linear technique to S-box-based designs or keyed primitives, and propose some open problems for future research.

Hardware-oriented optimization of Bloom filter algorithms and architectures for ultra-high-speed lookups in network applications

This paper optimizes Bloom filter algorithms and hardware architectures for high-speed implementation on FPGAs. A Bloom filter is a data structure that is used to check whether input search data are present in a table of stored data. Bloom filters are extensively used for monitoring network traffic. Improving the speed of Bloom filters can therefore have a significant impact on the speed of many network applications. The most important components determining the speed of Bloom filters are hash functions. While hash functions in Bloom filters do not require strong cryptographic properties, they do need a minimized computational delay. In this work, we evaluate and compare the performance and resource utilization of different Bloom filter algorithms and architectures as well as non-cryptographic hash functions on an FPGA. We also propose a new non-cryptographic hash function, called Xoodoo-NC, derived from the cryptographic permutation Xoodoo. Xoodoo-NC is a reduced-round, reduced-state version of Xoodoo, inheriting Xoodoo’s desired avalanche properties and low logical depth, resulting in an ultra-low-latency non-cryptographic hash function. We evaluate the performance of Bloom filter architectures based on Xoodoo-NC on a Xilinx UltraScale+ FPGA and we compare the performance and resource occupation to existing Bloom filter implementations. We additionally compare our results to memories that use the built-in CAM cores in Xilinx UltraScale+ FPGAs. Our proposed algorithmic and architectural advances lead to Bloom filters that, to the best of our knowledge, outperform all other FPGA-based solutions.

Influence of the Linear Layer on the Algebraic Degree in SP-Networks

We consider SPN schemes, i.e., schemes whose non-linear layer is defined as the parallel application of t ≥ 1 independent S-Boxes over F2n and whose linear layer is defined by the multiplication with a (n · t) × (n · t) matrix over F2. Even if the algebraic representation of a scheme depends on all its components, upper bounds on the growth of the algebraic degree in the literature usually only consider the details of the non-linear layer. Hence a natural question arises: (how) do the details of the linear layer influence the growth of the algebraic degree? We show that the linear layer plays a crucial role in the growth of the algebraic degree and present a new upper bound on the algebraic degree in SP-networks. As main results, we prove that in the case of low-degree round functions with large S-Boxes: (a) an initial exponential growth of the algebraic degree can be followed by a linear growth until the maximum algebraic degree is reached; (b) the rate of the linear growth is proportional to the degree of the linear layer over Ft2n. Besides providing a theoretical insight, our analysis is particularly relevant for assessing the security of the security of cryptographic permutations designed to be competitive in applications like MPC, FHE, SNARKs, and STARKs, including permutations based on the Hades design strategy. We have verified our findings on small-scale instances and we have compared them against the currently best results in the literature, showing a substantial improvement of upper bounds on the algebraic degree in case of low-degree round functions with large S-Boxes.

Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Designing cryptographic permutations and block ciphers using a substitutionpermutation network (SPN) approach where the nonlinear part does not cover the entire state has recently gained attention due to favorable implementation characteristics in various scenarios.For word-oriented partial SPN (P-SPN) schemes with a fixed linear layer, our goal is to better understand how the details of the linear layer affect the security of the construction. In this paper, we derive conditions that allow us to either set up or prevent attacks based on infinitely long truncated differentials with probability 1. Our analysis is rather broad compared to earlier independent work on this problem since we consider (1) both invariant and non-invariant/iterative trails, and (2) trails with and without active S-boxes.For these cases, we provide rigorous sufficient and necessary conditions for the matrix that defines the linear layer to prevent the analyzed attacks. On the practical side, we present a tool that can determine whether a given linear layer is vulnerable based on these results. Furthermore, we propose a sufficient condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Besides P-SPN schemes, our observations may also have a crucial impact on the Hades design strategy, which mixes rounds with full S-box layers and rounds with partial S-box layers.

On the Resilience of Even-Mansour to Invariant Permutations

Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in 2^{128} queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in 2^{50} queries), the 1024-bit CubeHash permutation (attack in 2^{256} queries), and the 384-bit Gimli permutation without round constants (attack in 2^{96} queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.

Improved Attacks on sLiSCP Permutation and Tight Bound of Limited Birthday Distinguishers

Limited birthday distinguishers (LBDs) are widely used tools for the cryptanalysis of cryptographic permutations. In this paper we propose LBDs on several variants of the sLiSCP permutation family that are building blocks of two round 2 candidates of the NIST lightweight standardization process: Spix and SpoC. We improve the number of steps with respect to the previously known best results, that used rebound attack. We improve the techniques used for solving the middle part, called inbound, and we relax the external conditions in order to extend the previous attacks. The lower bound of the complexity of LBDs has been proved only against functions. In this paper, we prove for the first time the bound against permutations, which shows that the known upper bounds are tight.

Beyond-Birthday-Bound Secure Cryptographic Permutations from Ideal Ciphers with Long Keys

Coron et al. showed a construction of a 3-round 2n-bit cryptographic permutation from three independent n-bit ideal ciphers with n-bit keys (TCC 2010). Guo and Lin showed a construction of a (2d − 1)-round dn-bit cryptographic permutation from 2d − 1 independent n-bit ideal ciphers with kn-bit keys, where d = k + 1 (Cryptography and Communications, 2015). These constructions have an indifferentiability security bound of O(q2/2n) against adversaries that make at most q queries. The bound is commonly referred to as birthday-bound security. In this paper, we show that a 5-round version of Coron et al.’s construction and (2d+1)-round version of Guo and Lin’s construction yield a cryptographic permutation with an indifferentiability security bound of O(q2/22n), i.e., by adding two more rounds, these constructions have beyond-birthday-bound security. Furthermore, under the assumption that q ≤ 2n, we show that Guo and Lin’s construction with 2d+2l−1 rounds yields a cryptographic permutation with a security bound of O(q2/2(l+1)n), where 1 ≤ l ≤ d − 1, i.e., the security bound exponentially improves by adding every two more rounds, up to 4d − 3 rounds. To the best of our knowledge, our result gives the first cryptographic permutation that is built from n-bit ideal ciphers and has a full n-bit indifferentiability security bound.

Beyond-Birthday-Bound Secure Cryptographic Permutations from Ideal Ciphers with Long Keys

Beyond-Birthday-Bound Secure Cryptographic Permutations from Ideal Ciphers with Long Keys

Security of the Suffix Keyed Sponge

We formalize and analyze the general suffix keyed sponge construction, a pseudorandom function built on top of a cryptographic permutation. The construction hashes its data using the (keyless) sponge construction, transforms part of the state using the secret key, and generates the tag from the output of a final permutation call. In its simplest form, if the key and tag size are at most the rate of the sponge, one can see the suffix keyed sponge as a simple sponge function evaluation whose input is the plaintext appended with the key. The suffix keyed sponge is, however, much more general: the key and tag size may exceed the rate without any need to make extra permutation calls. We prove that the suffix keyed sponge construction achieves birthday-bound PRF security in the capacity, even if key and tag size exceed the rate. Furthermore, we prove that if the absorption of the key into the state happens in a leakage resilient manner, the suffix keyed sponge itself is leakage resilient as well. Our findings show that the suffix keyed sponge compares favorably with the hash-then-MAC construction. For instance, to reach a security level of k bits, the side-channel protected component in the suffix keyed sponge just needs to process k bits of input besides the key, whereas schemes following the hash-then-MAC construction need a side-channel protected MAC function that processes 2k bits of input besides the key. Moreover, even if we just consider black-box attacks, the MAC function in a hash-then-MAC scheme needs to be cryptographically strong whereas in the suffix keyed sponge the key may be absorbed by a simple XOR. The security proofs are performed using the H-coefficient technique, and make effective use of the multicollision limit function results of Daemen et al. (ASIACRYPT 2017), both for arguing that state manipulation larger than the rate is tolerated after key processing and for upper bounding the amount of leakage an attacker may gain about the secret key.

Nonlinear Approximations in Cryptanalysis Revisited

This work studies deterministic and non-deterministic nonlinear approximations for cryptanalysis of block ciphers and cryptographic permutations and embeds it into the well-understood framework of linear cryptanalysis. For a deterministic (i.e., with correlation ±1) nonlinear approximation we show that in many cases, such a nonlinear approximation implies the existence of a highly-biased linear approximation. For non-deterministic nonlinear approximations, by transforming the cipher under consideration by conjugating each keyed instance with a fixed permutation, we are able to transfer many methods from linear cryptanalysis to the nonlinear case. Using this framework we in particular show that there exist ciphers for which some transformed versions are significantly weaker with regard to linear cryptanalysis than their original counterparts.

The design of Xoodoo and Xoofff

This paper presents Xoodoo, a 48-byte cryptographic permutation with excellent propagation properties. Its design approach is inspired by Keccak-p, while it is dimensioned like Gimli for efficiency on low-end processors. The structure consists of three planes of 128 bits each, which interact per 3-bit columns through mixing and nonlinear operations, and which otherwise move as three independent rigid objects. We analyze its differential and linear propagation properties and, in particular, prove lower bounds on the weight of trails using the tree search-based technique of Mella et al. (ToSC 2017). Xoodoo’s primary target application is in the Farfalle construction that we instantiate for the doubly-extendable cryptographic keyed (or deck) function Xoofff. Combining a relatively narrow permutation with the parallelism of Farfalle results in very efficient schemes on a wide range of platforms, from low-end devices to high-end processors with vector instructions.

Towards a Cryptographic Minimal Design: The sLiSCP Family of Permutations

The security of highly resource constrained applications is often viewed in the literature from a single aspect of a specific cryptographic primitive. More precisely, most of the proposed lightweight cryptographic primitives focus on providing a single functionality within the available hardware area dedicated for security purposes. In this paper, we argue that for such applications, a cryptographic primitive that follows the cryptographic minimal design strategy maybe the only realistically adopted security solution where there is a constrained GE budget for all security functionalities. Indeed, it is reasonable, if not desirable, for the adopted cryptographic design to have well justified building components and to provide minimal overhead for multiple cryptographic functionalities including encryption, hashing, authentication, and pseudorandom bit generation. Following such a strategy, we propose the $\sf{sLiSCP}$ family of lightweight cryptographic permutations which employs two of the most hardware efficient and extensively cryptanalyzed constructions, namely a 4-subblock Type-2 Generalized Feistel-like Structure (GFS) and round-reduced unkeyed Simeck. In addition to the hardware efficiency, we follow restrictive security design goals which enable us to provide resistance against differential and linear cryptanalysis, as well as guaranteed resistance to diffusion-based, algebraic, and self-symmetry distinguishers, and accordingly, we claim that there exist no structural distinguishers for $\sf{sLiSCP}$ - $b$ with a complexity below $2^{b/2}$ where $b$ is the state size. Moreover, we present the $\sf{sLiSCP}$ duplex sponge mode to illustrate how the permutations can be used in a unified design that provides (authenticated) encryption, hashing, and pseudorandom bit generation functionalities. Finally, we report two efficient parallel hardware implementations for the $\sf{sLiSCP}$ unified duplex sponge mode when using $\sf{sLiSCP}$ -192 (resp. $\sf{sLiSCP}$ -256) in CMOS $65$ nm ASIC with area of 2289 (resp. 3039) GE and a throughput of 29.62 (resp. 44.44) kbps, and their areas in CMOS $130$ nm are 2498 (resp. 3319) GE.

S L I SCP-light

The emerging areas in which highly resource constrained devices are interacting wirelessly to accomplish tasks have led manufacturers to embed communication systems in them. Tiny low-end devices such as sensor networks nodes and Radio Frequency Identification (RFID) tags are of particular importance due to their vulnerability to security attacks, which makes protecting their communication privacy and authenticity an essential matter. In this work, we present a lightweight do-it-all cryptographic design that offers the basic underlying functionalities to secure embedded communication systems in tiny devices. Specifically, we revisit the design approach of the sLiSCP family of lightweight cryptographic permutations, which was proposed in SAC 2017. sLiSCP is designed to be used in a unified duplex sponge construction to provide minimal overhead for multiple cryptographic functionalities within one hardware design. The design of sLiSCP follows a 4-subblock Type-2 Generalized Feistel-like Structure (GFS) with unkeyed round-reduced Simeck as the round function, which are extremely efficient building blocks in terms of their hardware area requirements. In S L I SCP-light, we tweak the GFS design and turn it into an elegant Partial Substitution-Permutation Network construction, which further reduces the hardware areas of the S L I SCP permutations by around 16% of their original values. The new design also enhances the bit diffusion and algebraic properties of the permutations and enables us to reduce the number of steps, thus achieving a better throughput in both the hashing and authentication modes. We perform a thorough security analysis of the new design with respect to its diffusion, differential and linear, and algebraic properties. For S L I SCP-light-192, we report parallel implementation hardware areas of 1,820 (respectively, 1,892)GE in CMOS 65 nm (respectively, 130 nm ) ASIC. The areas for S L I SCP-light-256 are 2,397 and 2,500GE in CMOS 65 nm and 130 nm ASIC, respectively. Overall, the unified duplex sponge mode of S L I SCP-light-192, which provides (authenticated) encryption and hashing functionalities, satisfies the area (1,958GE), power (3.97μ W ), and throughput (44.4kbps) requirements of passive RFID tags.

Impossible differential attack on Simpira v2

Simpira v2 is a family of cryptographic permutations proposed at ASIACRYPT 2016, and can be used to construct high throughput block ciphers by using the Even-Mansour construction, permutation-based hashing, and wide-block authenticated encryption. This paper shows a 9-round impossible differential of Simpira-4. To the best of our knowledge, this is the first 9-round impossible differential.To determine some efficient key recovery attacks on its block cipher mode (Even-Mansour construction with Simpira-4), we use some 6/7-round shrunken impossible differentials. Based on eight 6-round impossible differentials,we propose a series of 7-round key recovery attacks on the block cipher mode; each 6-round impossible differential helps recover 32 bits of the master key (512 bits), and in total, half of the master key bits are recovered. The attacks require $2^{57}$ chosen plaintexts and $2^{57}$ 7-round encryptions.Furthermore, based on ten 7-round impossible differentials, we add one round on the top or at the bottom to mount ten 8-round key recovery attacks on the block cipher mode. This helps recover the full key space (512 bits) with a data complexity of $2^{170}$ chosen plaintexts and time complexity of $2^{170}$ 8-round encryptions. Those are the first attacks on the round-reduced Simpira v2 and do not threaten the Even-Mansour mode with the full 15-round Simpira-4.